Commit9450c96

committed

ImplementonlyAllowOrigins

This funnels into the socket.io `origins` config, but only supports using an array of strings. It's also stricter in how it matches the origin against the whitelist.

1 parent50bc415 commit9450c96Copy full SHA for 9450c96

File tree

4 files changed

+86

-0

lines changed

lib
package.json

4 files changed

+86

-0

lines changed

`‎lib/configure.js‎`

Lines changed: 21 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -5,6 +5,7 @@`
`5`	`5`	`var_=require('lodash');`
`6`	`6`	`varUrls=require('machinepack-urls');`
`7`	`7`	`varERRORPACK=require('./errors');`
	`8`	`+varcheckOriginUrl=require('./util/check-origin-url');`
`8`	`9`
`9`	`10`
`10`	`11`
`@@ -47,6 +48,26 @@ module.exports = function ToConfigure(app) {`
`47`	`48`	`);`
`48`	`49`	`}`
`49`	`50`
	`51`	`+// config.sockets.onlyAllowOrigins must be an array.`
	`52`	`+if(!_.isUndefined(app.config.sockets.onlyAllowOrigins)&&!_.isArray(app.config.sockets.onlyAllowOrigins)){`
	`53`	+thrownewError('If `sails.config.sockets.onlyAllowOrigins` is defined, it must be an array of origins.');
	`54`	`+}`
	`55`	`+`
	`56`	`+// Warn if config.sockets.onlyAllowOrigins is not defined in production.`
	`57`	`+if(_.isUndefined(app.config.sockets.onlyAllowOrigins)&&process.env.NODE_ENV==='production'){`
	`58`	+app.log.warn('No `sails.config.sockets.onlyAllowOrigins` setting was detected.');
	`59`	`+app.log.warn('In a production environment, this setting is recommended for');`
	`60`	`+app.log.warn('security reasons.\n');`
	`61`	`+}`
	`62`	`+`
	`63`	`+// Validate all origins in config.sockets.onlyAllowOrigins.`
	`64`	`+if(_.isArray(app.config.sockets.onlyAllowOrigins)){`
	`65`	`+_.each(app.config.sockets.onlyAllowOrigins,function(origin){`
	`66`	`+checkOriginUrl(origin);`
	`67`	`+});`
	`68`	`+}`
	`69`	`+`
	`70`	`+`
`50`	`71`	`// Adapter options`
`51`	`72`	`// =================================`
`52`	`73`

`‎lib/initialize.js‎`

Lines changed: 9 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -3,6 +3,7 @@`
`3`	`3`	`*/`
`4`	`4`
`5`	`5`	`varSocketIO=require('socket.io');`
	`6`	`+var_=require('lodash');`
`6`	`7`	`varparseSdkMetadata=require('./parse-sdk-metadata');`
`7`	`8`	`varToHandleNewConnection=require('./on-connect');`
`8`	`9`	`varToBuildSocketsMethods=require('./sails.sockets');`
`@@ -95,6 +96,14 @@ module.exports = function ToInitialize(app) {`
`95`	`96`	`if(app.config.sockets.cookie){`
`96`	`97`	`opts.cookie=app.config.sockets.cookie;`
`97`	`98`	`}`
	`99`	`+if(app.config.sockets.onlyAllowOrigins){`
	`100`	`+opts.origins=function(origin,cb){`
	`101`	`+if(_.contains(app.config.sockets.onlyAllowOrigins,origin)){`
	`102`	`+returncb(null,true);`
	`103`	`+}`
	`104`	`+returncb(null,false);`
	`105`	`+};`
	`106`	`+}`
`98`	`107`	`returnopts;`
`99`	`108`	`})());`
`100`	`109`

`‎lib/util/check-origin-url.js‎`

Lines changed: 55 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,55 @@`
	`1`	`+/**`
	`2`	`+ * Module dependencies`
	`3`	`+ */`
	`4`	`+`
	`5`	`+var_=require('lodash');`
	`6`	`+varurl=require('url');`
	`7`	`+varflaverr=require('flaverr');`
	`8`	`+`
	`9`	`+`
	`10`	`+/**`
	`11`	`+ * checkOriginUrl()`
	`12`	`+ *`
	`13`	`+ *@param {String} originUrl`
	`14`	`+ * The origin URL to check.`
	`15`	+ * (This is used when parsing the relevant config from within `sails.config.security`
	`16`	+ * or `sails.config.sockets`.)
	`17`	`+ *`
	`18`	`+ *@throws {Error} if not valid`
	`19`	`+ *@property {String} code (==='E_INVALID')`
	`20`	`+ */`
	`21`	`+`
	`22`	`+module.exports=functioncheckOriginUrl(originUrl){`
	`23`	`+`
	`24`	`+if(!_.isString(originUrl)\|\|originUrl===''){`
	`25`	`+throwflaverr('E_INVALID',newError('Must specify a non-empty string, but instead got: '+util.inspect(originUrl,{depth:null})));`
	`26`	`+}`
	`27`	`+`
	`28`	`+if(!originUrl.match(/^https?:\/\//)){`
	`29`	`+throwflaverr('E_INVALID',newError('Must specify a protocol like http:// or https://, but instead got: '+originUrl));`
	`30`	`+}`
	`31`	`+`
	`32`	`+// Now do a mostly-correct parse of the URL.`
	`33`	`+varparsedOriginUrl=url.parse(originUrl);`
	`34`	`+`
	`35`	`+varisHttps=parsedOriginUrl.protocol==='https:';`
	`36`	`+`
	`37`	`+if(isHttps&&parsedOriginUrl.port==='443'){`
	`38`	`+throwflaverr('E_INVALID',newError('Should not explicitly specify port 443 with https:// (it is implied). But instead got: '+originUrl));`
	`39`	`+}`
	`40`	`+if(!isHttps&&parsedOriginUrl.port==='80'){`
	`41`	`+throwflaverr('E_INVALID',newError('Should not explicitly specify port 80 with https:// (it is implied). But instead got: '+originUrl));`
	`42`	`+}`
	`43`	`+`
	`44`	`+// Ensure there is no path or query string or fragment or anything like that.`
	`45`	`+if(parsedOriginUrl.pathname!=='/'\|\|parsedOriginUrl.path!=='/'){`
	`46`	+throwflaverr('E_INVALID',newError('Should not specify a path, query string, URL fragment, or anything like that (but instead, got `'+originUrl+'`)'));
	`47`	`+}`
	`48`	`+`
	`49`	`+// Ensure there is no trailing slice`
	`50`	`+varlastCharacter=originUrl.slice(-1);`
	`51`	`+if(lastCharacter==='/'){`
	`52`	`+throwflaverr('E_INVALID',newError('Should not specify a trailing slash, but instead got: '+originUrl));`
	`53`	`+}`
	`54`	`+`
	`55`	`+};`

`‎package.json‎`

Lines changed: 1 addition & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -10,6 +10,7 @@`
`10`	`10`	`],`
`11`	`11`	`"dependencies": {`
`12`	`12`	`"async":"2.0.1",`
	`13`	`+"flaverr":"^1.0.0",`
`13`	`14`	`"lodash":"3.10.1",`
`14`	`15`	`"machinepack-urls":"^3.1.1",`
`15`	`16`	`"semver":"4.3.6",`

0 commit comments

Comments

(0)

Movatterモバイル変換

Navigation Menu

Search code, repositories, users, issues, pull requests...

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Commit9450c96

File tree

4 files changed

4 files changed

`‎lib/configure.js‎`

`‎lib/initialize.js‎`

`‎lib/util/check-origin-url.js‎`

`‎package.json‎`

0 commit comments